Deceptive Invoices Deliver Malware Payload in Multi-Layered Attack
Cybersecurity researchers have uncovered a cunning cyberattack campaign that utilizes seemingly innocuous invoices to deliver a multi-stage malware attack. This deceptive tactic leverages phishing emails, which contain malicious Scalable Vector Graphics (SVG) file attachments. Upon opening the attachment, an intricate infection sequence unfolds, potentially unleashing a variety of malware strains onto the victim's system.
Fortinet's FortiGuard Labs, a leading cybersecurity research team, identified a range of malware deployed through this invoice-themed phishing scheme. These malicious payloads include Remote Access Trojans (RATs) such as Venom RAT, Remcos RAT, NanoCore RAT, and XWorm. Additionally, the attack arsenal incorporates a cryptocurrency wallet stealer, designed to pilfer digital currency holdings from unsuspecting users.
The attack's complexity lies in its multi-layered approach. The SVG attachments themselves act as triggers, initiating the infection process once opened by the target. Further obfuscation techniques come into play with the extensive use of the BatCloak malware obfuscation engine. This tool, available for purchase by cybercriminals since late 2022, is a descendant of another obfuscation tool called Jlaive. BatCloak's primary function is to mask the subsequent malware stages, allowing them to bypass conventional detection methods employed by security software.
ScrubCrypt, another layer in this elaborate attack, takes the obfuscated code a step further. It encrypts the malicious code, making it even more challenging for security systems to identify and prevent the infection. Once the obfuscated layers are peeled back, the malware payload typically arrives in the form of encoded batch scripts. These scripts then download and execute the final malicious program onto the compromised system.
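One way a mail gateway or an analyst could triage SVG attachments for the active content this trigger stage depends on, as an added example that is not from the article or from FortiGuard Labs; the element and attribute lists, the function names and the two sample files are assumptions constructed for the demonstration:

```python
# Added example (not from the original article): static triage of SVG
# e-mail attachments. It flags the features an SVG needs in order to run
# code or pull remote content when opened in a browser or viewer.
# Note: ElementTree does not fetch external entities, but for untrusted
# input in production prefer defusedxml to also block entity-expansion DoS.
import xml.etree.ElementTree as ET

# Elements that can execute or embed active content inside an SVG (assumed list).
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}

def _local(tag: str) -> str:
    # ElementTree namespaces tags/attributes as "{ns}name"; keep only "name".
    return tag.rsplit("}", 1)[-1]

def triage_svg(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means no active content was seen."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    for elem in root.iter():          # root.iter() includes the root element
        name = _local(elem.tag)
        if name in ACTIVE_TAGS:
            findings.append(f"active element <{name}>")
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            if aname.startswith("on"):           # onload=, onclick=, onerror= ...
                findings.append(f"event handler {aname} on <{name}>")
            elif aname == "href":                # covers both href and xlink:href
                v = value.strip().lower()
                if v.startswith(("javascript:", "data:")):
                    findings.append(f"script/data URI in href on <{name}>")
                elif v.startswith(("http://", "https://")):
                    findings.append(f"external reference in href on <{name}>: {value}")
    return findings

# Constructed samples for the demonstration; not real campaign artefacts.
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>'
SUSPECT = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="run()">'
           b'<script>/* placeholder: a real sample would hold the dropper */</script></svg>')

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, triage_svg(blob) or "clean")
```

Findings from a check like this are a triage signal for quarantine or sandboxing, not proof of malice, since legitimate SVGs occasionally carry scripts too.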
The emergence of this multi-stage invoice phishing attack underscores the evolving tactics employed by cybercriminals. The attackers' strategic use of readily available obfuscation tools and cryptocurrency-targeting malware highlights the increasing sophistication of these online threats. Security researchers emphasize the importance of user vigilance, particularly with regards to unsolicited email attachments, even those disguised as invoices or other seemingly legitimate documents. Furthermore, businesses are advised to implement robust security measures, including advanced email filtering systems and employee training programs focused on recognizing phishing attempts.